SUSE-SU-2025:20862-1: moderate: Security update for chrony

SLE-UPDATES null at suse.de
Fri Oct 24 20:30:34 UTC 2025



# Security update for chrony

Announcement ID: SUSE-SU-2025:20862-1  
Release Date: 2025-10-17T12:02:52Z  
Rating: moderate  
References:

  * bsc#1246544

  
Affected Products:

  * SUSE Linux Micro 6.1

  
  
An update that has one fix can now be installed.

## Description:

This update for chrony fixes the following issues:

  * Update to version 4.8:
    * Add maxunreach option to limit selection of unreachable sources
    * Add -u option to chronyc to drop root privileges (default chronyc user is
      set by configure script)
    * Fix refclock extpps option to work on Linux >= 6.15
    * Validate refclock samples for reachability updates

  * Fix racy socket creation which allows privilege escalation to root
    (bsc#1246544)

  * Update to version 4.7:
    * Add opencommands directive to select remote monitoring commands
    * Add interval option to driftfile directive
    * Add waitsynced and waitunsynced options to local directive
    * Add sanity checks for integer values in configuration
    * Add support for systemd Type=notify service
    * Add RTC refclock driver
    * Allow PHC refclock to be specified with network interface name
    * Don’t require multiple refclock samples per poll to simplify filter
      configuration
    * Keep refclock reachable when dropping samples with large delay
    * Improve quantile-based filtering to adapt faster to larger delay
    * Improve logging of selection failures
    * Detect clock interference from other processes
    * Try to reopen message log (-l option) on cyclelogs command
    * Fix sourcedir reloading to not multiply sources
    * Fix tracking offset after failed clock step
    * Drop support for NTS with Nettle < 3.6 and GnuTLS < 3.6.14
    * Drop support for building without POSIX threads

  * Update to version 4.6.1:
    * Add ntsaeads directive to enable only selected AEAD algorithms for NTS.
    * Negotiate use of compliant NTS keys with AES-128-GCM-SIV AEAD algorithm.
    * Switch to compliant NTS keys if first response from server is NTS NAK.

  * Drop rcFOO symlinks for CODE16 (PED-266).

  * Update to version 4.6:
    * Add activate option to local directive to set activation threshold
    * Add ipv4 and ipv6 options to server/pool/peer directive
    * Add kod option to ratelimit directive for server KoD RATE support
    * Add leapseclist directive to read NIST/IERS leap-seconds.list file
    * Add ptpdomain directive to set PTP domain for NTP over PTP
    * Allow disabling pidfile
    * Improve copy server option to accept unsynchronised status instantly
    * Log one selection failure on start
    * Add offset command to modify source offset correction
    * Add timestamp sources to ntpdata report
    * Fix crash on sources reload during initstepslew or RTC initialisation
    * Fix source refreshment to not repeat failed name resolving attempts

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.1  
    zypper in -t patch SUSE-SLE-Micro-6.1-306=1

## Package List:

  * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
    * chrony-debugsource-4.8-slfo.1.1_1.1
    * chrony-4.8-slfo.1.1_1.1
    * chrony-debuginfo-4.8-slfo.1.1_1.1
  * SUSE Linux Micro 6.1 (noarch)
    * chrony-pool-suse-4.8-slfo.1.1_1.1
    * chrony-pool-empty-4.8-slfo.1.1_1.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1246544
